Add role-based filtering and imporve code

2025-10-15 16:12:49 +02:00
parent 96ad5c6692
commit 8f9e9a7edc
158 changed files with 11033 additions and 1544 deletions
--- a/services/sales/Dockerfile
+++ b/services/sales/Dockerfile
@@ -17,9 +17,13 @@ RUN apt-get update && apt-get install -y \
    && rm -rf /var/lib/apt/lists/*

 # Copy requirements
+COPY shared/requirements-tracing.txt /tmp/
+
 COPY services/sales/requirements.txt .

 # Install Python dependencies
+RUN pip install --no-cache-dir -r /tmp/requirements-tracing.txt
+
 RUN pip install --no-cache-dir -r requirements.txt

 # Copy shared libraries from the shared stage
--- a/services/sales/app/api/analytics.py
+++ b/services/sales/app/api/analytics.py
@@ -11,6 +11,7 @@ import structlog

 from app.services.sales_service import SalesService
 from shared.routing import RouteBuilder
+from shared.auth.access_control import analytics_tier_required

 route_builder = RouteBuilder('sales')
 router = APIRouter(tags=["sales-analytics"])
@@ -25,13 +26,14 @@ def get_sales_service():
@router.get(
    route_builder.build_analytics_route("summary")
 )
+@analytics_tier_required
 async def get_sales_analytics(
    tenant_id: UUID = Path(..., description="Tenant ID"),
    start_date: Optional[datetime] = Query(None, description="Start date filter"),
    end_date: Optional[datetime] = Query(None, description="End date filter"),
    sales_service: SalesService = Depends(get_sales_service)
 ):
-    """Get sales analytics summary for a tenant"""
+    """Get sales analytics summary for a tenant (Professional+ tier required)"""
    try:
        analytics = await sales_service.get_sales_analytics(tenant_id, start_date, end_date)

--- a/services/sales/app/api/sales_records.py
+++ b/services/sales/app/api/sales_records.py
@@ -19,11 +19,15 @@ from app.services.sales_service import SalesService
 from shared.auth.decorators import get_current_user_dep
 from shared.auth.access_control import require_user_role
 from shared.routing import RouteBuilder
+from shared.security import create_audit_logger, AuditSeverity, AuditAction

 route_builder = RouteBuilder('sales')
 router = APIRouter(tags=["sales-records"])
 logger = structlog.get_logger()

+# Initialize audit logger
+audit_logger = create_audit_logger("sales-service")
+

 def get_sales_service():
    """Dependency injection for SalesService"""
@@ -169,24 +173,53 @@ async def update_sales_record(
@router.delete(
    route_builder.build_resource_detail_route("sales", "record_id")
 )
+@require_user_role(['admin', 'owner'])
 async def delete_sales_record(
    tenant_id: UUID = Path(..., description="Tenant ID"),
    record_id: UUID = Path(..., description="Sales record ID"),
+    current_user: Dict[str, Any] = Depends(get_current_user_dep),
    sales_service: SalesService = Depends(get_sales_service)
 ):
-    """Delete a sales record"""
+    """Delete a sales record (Admin+ only)"""
    try:
+        # Get record details before deletion for audit log
+        record = await sales_service.get_sales_record(record_id, tenant_id)
+
        success = await sales_service.delete_sales_record(record_id, tenant_id)

        if not success:
            raise HTTPException(status_code=404, detail="Sales record not found")

+        # Log audit event for sales record deletion
+        try:
+            from app.core.database import get_db
+            db = next(get_db())
+            await audit_logger.log_deletion(
+                db_session=db,
+                tenant_id=str(tenant_id),
+                user_id=current_user["user_id"],
+                resource_type="sales_record",
+                resource_id=str(record_id),
+                resource_data={
+                    "product_name": record.product_name if record else None,
+                    "quantity_sold": record.quantity_sold if record else None,
+                    "sale_date": record.date.isoformat() if record and record.date else None
+                } if record else None,
+                description=f"Deleted sales record for {record.product_name if record else 'unknown product'}",
+                endpoint=f"/sales/{record_id}",
+                method="DELETE"
+            )
+        except Exception as audit_error:
+            logger.warning("Failed to log audit event", error=str(audit_error))
+
        logger.info("Deleted sales record", record_id=record_id, tenant_id=tenant_id)
        return {"message": "Sales record deleted successfully"}

    except ValueError as ve:
        logger.warning("Error deleting sales record", error=str(ve), record_id=record_id)
        raise HTTPException(status_code=400, detail=str(ve))
+    except HTTPException:
+        raise
    except Exception as e:
        logger.error("Failed to delete sales record", error=str(e), record_id=record_id, tenant_id=tenant_id)
        raise HTTPException(status_code=500, detail=f"Failed to delete sales record: {str(e)}")
--- a/services/sales/app/models/init.py
+++ b/services/sales/app/models/init.py
@@ -1,5 +1,12 @@
+
+# Import AuditLog model for this service
+from shared.security import create_audit_log_model
+from shared.database.base import Base
+
+# Create audit log model for this service
+AuditLog = create_audit_log_model(Base)
 # services/sales/app/models/__init__.py

 from .sales import SalesData, SalesImportJob

-__all__ = ["SalesData", "SalesImportJob"]
+__all__ = ["SalesData", "SalesImportJob", "AuditLog"]
--- a/services/sales/migrations/versions/20251015_1228_1949ed96e20e_initial_schema_20251015_1228.py
+++ b/services/sales/migrations/versions/20251015_1228_1949ed96e20e_initial_schema_20251015_1228.py
@@ -1,18 +1,18 @@
-"""initial_schema_20251009_2038
+"""initial_schema_20251015_1228

-Revision ID: ccb1465b527e
+Revision ID: 1949ed96e20e
 Revises: 
-Create Date: 2025-10-09 20:38:25.308184+02:00
+Create Date: 2025-10-15 12:28:44.373103+02:00

 """
 from typing import Sequence, Union

 from alembic import op
 import sqlalchemy as sa
-
+from sqlalchemy.dialects import postgresql

 # revision identifiers, used by Alembic.
-revision: str = 'ccb1465b527e'
+revision: str = '1949ed96e20e'
 down_revision: Union[str, None] = None
 branch_labels: Union[str, Sequence[str], None] = None
 depends_on: Union[str, Sequence[str], None] = None
@@ -20,6 +20,38 @@ depends_on: Union[str, Sequence[str], None] = None

 def upgrade() -> None:
    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('audit_logs',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('tenant_id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('action', sa.String(length=100), nullable=False),
+    sa.Column('resource_type', sa.String(length=100), nullable=False),
+    sa.Column('resource_id', sa.String(length=255), nullable=True),
+    sa.Column('severity', sa.String(length=20), nullable=False),
+    sa.Column('service_name', sa.String(length=100), nullable=False),
+    sa.Column('description', sa.Text(), nullable=True),
+    sa.Column('changes', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('audit_metadata', postgresql.JSON(astext_type=sa.Text()), nullable=True),
+    sa.Column('ip_address', sa.String(length=45), nullable=True),
+    sa.Column('user_agent', sa.Text(), nullable=True),
+    sa.Column('endpoint', sa.String(length=255), nullable=True),
+    sa.Column('method', sa.String(length=10), nullable=True),
+    sa.Column('created_at', sa.DateTime(timezone=True), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_audit_resource_type_action', 'audit_logs', ['resource_type', 'action'], unique=False)
+    op.create_index('idx_audit_service_created', 'audit_logs', ['service_name', 'created_at'], unique=False)
+    op.create_index('idx_audit_severity_created', 'audit_logs', ['severity', 'created_at'], unique=False)
+    op.create_index('idx_audit_tenant_created', 'audit_logs', ['tenant_id', 'created_at'], unique=False)
+    op.create_index('idx_audit_user_created', 'audit_logs', ['user_id', 'created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_action'), 'audit_logs', ['action'], unique=False)
+    op.create_index(op.f('ix_audit_logs_created_at'), 'audit_logs', ['created_at'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_id'), 'audit_logs', ['resource_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_resource_type'), 'audit_logs', ['resource_type'], unique=False)
+    op.create_index(op.f('ix_audit_logs_service_name'), 'audit_logs', ['service_name'], unique=False)
+    op.create_index(op.f('ix_audit_logs_severity'), 'audit_logs', ['severity'], unique=False)
+    op.create_index(op.f('ix_audit_logs_tenant_id'), 'audit_logs', ['tenant_id'], unique=False)
+    op.create_index(op.f('ix_audit_logs_user_id'), 'audit_logs', ['user_id'], unique=False)
    op.create_table('sales_data',
    sa.Column('id', sa.UUID(), nullable=False),
    sa.Column('tenant_id', sa.UUID(), nullable=False),
@@ -100,4 +132,18 @@ def downgrade() -> None:
    op.drop_index('idx_sales_date_range', table_name='sales_data')
    op.drop_index('idx_sales_channel_date', table_name='sales_data')
    op.drop_table('sales_data')
+    op.drop_index(op.f('ix_audit_logs_user_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_tenant_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_severity'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_service_name'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_type'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_resource_id'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_created_at'), table_name='audit_logs')
+    op.drop_index(op.f('ix_audit_logs_action'), table_name='audit_logs')
+    op.drop_index('idx_audit_user_created', table_name='audit_logs')
+    op.drop_index('idx_audit_tenant_created', table_name='audit_logs')
+    op.drop_index('idx_audit_severity_created', table_name='audit_logs')
+    op.drop_index('idx_audit_service_created', table_name='audit_logs')
+    op.drop_index('idx_audit_resource_type_action', table_name='audit_logs')
+    op.drop_table('audit_logs')
    # ### end Alembic commands ###
--- a/services/sales/requirements.txt
+++ b/services/sales/requirements.txt
@@ -36,4 +36,5 @@ aio-pika==9.3.1
 # Note: pytest and testing dependencies are in tests/requirements.txt

 # Development
-python-multipart==0.0.6
+python-multipart==0.0.6
+redis==5.0.1